Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

High CPU usage on UF

mmoermans
Path Finder
‎02-01-2018 12:53 AM

We've been noticing a high CPU use on a windows splunk forwarder that only has a simple monitor statement.
The following monitor is used:

--inputs.conf
[monitor://\server\data$\LogDir*.log]
disabled = false
index = dataindex
sourcetype = datatype

With a few date.log files to monitor and the correct output to the indexers.

Does anyone know what the cause might be for the high CPU? The _internal logs show nothing of interest.

0 Karma
Reply

MousumiChowdhur
Contributor
‎03-12-2018 11:44 PM

Hi @mmoermans,

It's always recommended not to use wildcard in the monitor stanza if you really have less number of files to be monitored.

Also, verify the below points-
1. Number of files that are getting monitored by the command ./splunk list monitor.
2. Size of the log files.
3. Proper parsing of the log files.
4. Check if any older files are being monitored and if so you can ignore those.

I hope you would find something from checking the above listed points.

Thanks.

Reply

nickhills
Ultra Champion
‎02-01-2018 01:07 AM

If possible, always install the forwarder on the server with the files - mounting a remote share to pull data into a UF is inefficient.
Its not always possible ( I know) but UNC file shares add failure points, latency and network overhead you are better off avoiding if possible. - Probably not the direct cause of you issue, but worth considering.

What version of UF/Windows? and how big are they logs. Do they break nicely? - Have you looked at your queues on the UF?

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...